
The Calculus of Computation: Decision Procedures with Applications (slide deck)



1. The Calculus of Computation: Decision Procedures with Applications to Verification, by Aaron Bradley and Zohar Manna, Springer 2007

2. Part II: Algorithmic Reasoning. Chapter 7: Quantified Linear Arithmetic

3. Quantifier Elimination (QE): an algorithm that eliminates all quantifiers of a formula $F$ until a quantifier-free formula $G$ that is equivalent to $F$ remains.
   Note: it could be enough that $F$ is equisatisfiable to $F'$, that is, $F$ is satisfiable iff $F'$ is satisfiable.
   A theory $T$ admits quantifier elimination if there is an algorithm that, given a $\Sigma$-formula $F$, returns a quantifier-free $\Sigma$-formula $G$ that is $T$-equivalent to $F$.

4. Example
   For the $\Sigma_\mathbb{Q}$-formula $F:\ \exists x.\ 2x = y$, a quantifier-free $T_\mathbb{Q}$-equivalent $\Sigma_\mathbb{Q}$-formula is $G:\ \top$.
   For the $\Sigma_\mathbb{Z}$-formula $F:\ \exists x.\ 2x = y$, there is no quantifier-free $T_\mathbb{Z}$-equivalent $\Sigma_\mathbb{Z}$-formula.
   Let $\hat{T}_\mathbb{Z}$ be $T_\mathbb{Z}$ with divisibility predicates. For the $\hat{\Sigma}_\mathbb{Z}$-formula $F:\ \exists x.\ 2x = y$, a quantifier-free $\hat{T}_\mathbb{Z}$-equivalent $\hat{\Sigma}_\mathbb{Z}$-formula is $G:\ 2 \mid y$.

5. In developing a QE algorithm for a theory $T$, we need only consider formulae of the form $\exists x.\ F$ for quantifier-free $F$.
   Example: For the $\Sigma$-formula
   $G_1:\ \exists x.\ \forall y.\ \underbrace{\exists z.\ F_1[x, y, z]}_{F_2[x, y]}$
   $G_2:\ \exists x.\ \forall y.\ F_2[x, y]$
   $G_3:\ \exists x.\ \neg \underbrace{\exists y.\ \neg F_2[x, y]}_{F_3[x]}$
   $G_4:\ \underbrace{\exists x.\ \neg F_3[x]}_{F_4}$
   $G_5:\ F_4$
   $G_5$ is quantifier-free and $T$-equivalent to $G_1$.

6. Quantifier Elimination for $T_\mathbb{Z}$
   $\Sigma_\mathbb{Z}:\ \{\ldots, -2, -1, 0, 1, 2, \ldots,\ -3\cdot, -2\cdot, 2\cdot, 3\cdot, \ldots,\ +, -, =, <\}$
   Lemma: Given a quantifier-free $\Sigma_\mathbb{Z}$-formula $F$ such that $\mathrm{free}(F) = \{y\}$, $F$ represents the set of integers $S:\ \{n \in \mathbb{Z} : F\{y \mapsto n\} \text{ is } T_\mathbb{Z}\text{-valid}\}$. Either $S \cap \mathbb{Z}^+$ or $\mathbb{Z}^+ \setminus S$ is finite, where $\mathbb{Z}^+$ is the set of positive integers.
   Example: $\Sigma_\mathbb{Z}$-formula $F:\ \exists x.\ 2x = y$. $S$: the even integers. $S \cap \mathbb{Z}^+$: the positive even integers, infinite. $\mathbb{Z}^+ \setminus S$: the positive odd integers, infinite. Therefore, by the lemma, there is no quantifier-free $T_\mathbb{Z}$-formula that is $T_\mathbb{Z}$-equivalent to $F$. Thus, $T_\mathbb{Z}$ does not admit QE.

7. Augmented theory $\hat{T}_\mathbb{Z}$
   $\hat{\Sigma}_\mathbb{Z}$: $\Sigma_\mathbb{Z}$ with a countable number of unary divisibility predicates $k \mid \cdot$ for $k \in \mathbb{Z}^+$.
   Intended interpretation: $k \mid x$ holds iff $k$ divides $x$ without any remainder.
   Example: $x > 1 \wedge y > 1 \wedge 2 \mid x + y$ is satisfiable (choose $x = 2$, $y = 2$). $\neg(2 \mid x) \wedge 4 \mid x$ is not satisfiable.
   Axioms of $\hat{T}_\mathbb{Z}$: the axioms of $T_\mathbb{Z}$ with an additional countable set of axioms, one for each $k \in \mathbb{Z}^+$: $\forall x.\ k \mid x \leftrightarrow \exists y.\ x = ky$

8. $\hat{T}_\mathbb{Z}$ admits QE (Cooper's method)
   Algorithm: Given a $\hat{\Sigma}_\mathbb{Z}$-formula $\exists x.\ F[x]$, where $F$ is quantifier-free, construct a quantifier-free $\hat{\Sigma}_\mathbb{Z}$-formula that is equivalent to $\exists x.\ F[x]$.
   Step 1: Put $F[x]$ in NNF $F_1[x]$, that is, $\exists x.\ F_1[x]$ has negations only in literals (otherwise only $\wedge$, $\vee$) and is $\hat{T}_\mathbb{Z}$-equivalent to $\exists x.\ F[x]$.
   Step 2: Replace (left to right)
   $s = t \Leftrightarrow s < t + 1 \wedge t < s + 1$
   $\neg(s = t) \Leftrightarrow s < t \vee t < s$
   $\neg(s < t) \Leftrightarrow t < s + 1$
   The output $\exists x.\ F_2[x]$ contains only literals of the form $s < t$, $k \mid t$, or $\neg(k \mid t)$, where $s, t$ are $\hat{T}_\mathbb{Z}$-terms and $k \in \mathbb{Z}^+$.

9. Example: $\neg(x < y) \wedge \neg(x = y + 3)$ becomes $y < x + 1 \wedge (x < y + 3 \vee y + 3 < x)$.
   Step 3: Collect terms containing $x$ so that literals have the form $hx < t$, $t < hx$, $k \mid hx + t$, or $\neg(k \mid hx + t)$, where $t$ is a term and $h, k \in \mathbb{Z}^+$. The output is the formula $\exists x.\ F_3[x]$, which is $\hat{T}_\mathbb{Z}$-equivalent to $\exists x.\ F[x]$.
   Example: $x + x + y < z + 3z + 2y - 4x$ becomes $6x < 4z + y$.

10. Step 4: Let $\delta' = \mathrm{lcm}\{h : h \text{ is a coefficient of } x \text{ in } F_3[x]\}$, where lcm is the least common multiple. Multiply atoms in $F_3[x]$ by constants so that $\delta'$ is the coefficient of $x$ everywhere:
   $hx < t \Leftrightarrow \delta' x < h' t$ where $h' h = \delta'$
   $t < hx \Leftrightarrow h' t < \delta' x$ where $h' h = \delta'$
   $k \mid hx + t \Leftrightarrow h' k \mid \delta' x + h' t$ where $h' h = \delta'$
   $\neg(k \mid hx + t) \Leftrightarrow \neg(h' k \mid \delta' x + h' t)$ where $h' h = \delta'$
   The result is $\exists x.\ F'_3[x]$, in which all occurrences of $x$ in $F'_3[x]$ are in terms $\delta' x$. Replace the $\delta' x$ terms in $F'_3$ with a fresh variable $x'$ to form $F''_3:\ F'_3\{\delta' x \mapsto x'\}$.

11. Finally, construct $\exists x'.\ \underbrace{F''_3[x'] \wedge \delta' \mid x'}_{F_4[x']}$.
   $\exists x'.\ F_4[x']$ is equivalent to $\exists x.\ F[x]$, and each literal of $F_4[x']$ has one of the forms:
   (A) $x' < a$
   (B) $b < x'$
   (C) $h \mid x' + c$
   (D) $\neg(k \mid x' + d)$
   where $a, b, c, d$ are terms that do not contain $x$, and $h, k \in \mathbb{Z}^+$.

12. Example: $\hat{T}_\mathbb{Z}$-formula $\exists x.\ \underbrace{3x + 1 > y \wedge 2x - 6 < z \wedge 4 \mid 5x + 1}_{F[x]}$
   After step 3: $\exists x.\ \underbrace{2x < z + 6 \wedge y - 1 < 3x \wedge 4 \mid 5x + 1}_{F_3[x]}$
   Collecting coefficients of $x$ (step 4), $\delta' = \mathrm{lcm}(2, 3, 5) = 30$. Multiplying where necessary: $\exists x.\ 30x < 15z + 90 \wedge 10y - 10 < 30x \wedge 24 \mid 30x + 6$
   Replacing $30x$ with a fresh $x'$: $\exists x'.\ \underbrace{x' < 15z + 90 \wedge 10y - 10 < x' \wedge 24 \mid x' + 6 \wedge 30 \mid x'}_{F_4[x']}$
   $\exists x'.\ F_4[x']$ is equivalent to $\exists x.\ F[x]$.

13. Step 5 (trickiest part): Construct the left infinite projection $F_{-\infty}[x']$ of $F_4[x']$ by
   (A) replacing literals $x' < a$ by $\top$
   (B) replacing literals $b < x'$ by $\bot$
   Idea: very small numbers satisfy (A) literals but not (B) literals.
   Let $\delta = \mathrm{lcm}\{h \text{ of (C) literals } h \mid x' + c,\ k \text{ of (D) literals } \neg(k \mid x' + d)\}$ and let $B$ be the set of $b$ terms appearing in (B) literals. Construct
   $$F_5:\ \bigvee_{j=1}^{\delta} F_{-\infty}[j] \;\vee\; \bigvee_{j=1}^{\delta} \bigvee_{b \in B} F_4[b + j]$$
   $F_5$ is quantifier-free and $\hat{T}_\mathbb{Z}$-equivalent to $F$.

14. Intuition
   Property (Periodicity): if $k \mid \delta$ then $k \mid n$ iff $k \mid n + \lambda\delta$ for all $\lambda \in \mathbb{Z}$. That is, $k \mid \cdot$ cannot distinguish between $k \mid n$ and $k \mid n + \lambda\delta$.
   By the choice of $\delta$ (the lcm of the $h$'s and $k$'s), no $\mid$ literal in $F_5$ can distinguish between $n$ and $n + \delta$.
   $$F_5:\ \bigvee_{j=1}^{\delta} F_{-\infty}[j] \;\vee\; \bigvee_{j=1}^{\delta} \bigvee_{b \in B} F_4[b + j]$$
   Left disjunct $\bigvee_{j=1}^{\delta} F_{-\infty}[j]$: contains only $\mid$ literals. Asserts: there is no least $n \in \mathbb{Z}$ such that $F[n]$. For if there exists $n$ satisfying $F_{-\infty}$, then every $n - \lambda\delta$, for $\lambda \in \mathbb{Z}^+$, also satisfies $F_{-\infty}$.

15. Right disjunct $\bigvee_{j=1}^{\delta} \bigvee_{b \in B} F_4[b + j]$: asserts that there is a least $n \in \mathbb{Z}$ such that $F[n]$. For let $b^*$ be the largest $b$ in (B). If $n \in \mathbb{Z}$ is such that $F[n]$, then $\exists j\,(1 \le j \le \delta).\ b^* + j \le n \wedge F[b^* + j]$. In other words, if there is a solution, then one must appear in the $\delta$-interval to the right of $b^*$.
   Example (cont.): $\exists x.\ \underbrace{3x + 1 > y \wedge 2x - 6 < z \wedge 4 \mid 5x + 1}_{F[x]}$ becomes $\exists x'.\ \underbrace{x' < 15z + 90 \wedge 10y - 10 < x' \wedge 24 \mid x' + 6 \wedge 30 \mid x'}_{F_4[x']}$

16. By step 5, $F_{-\infty}[x']:\ \top \wedge \bot \wedge 24 \mid x' + 6 \wedge 30 \mid x'$, which simplifies to $\bot$. Compute $\delta = \mathrm{lcm}\{24, 30\} = 120$ and $B = \{10y - 10\}$. Then replacing $x'$ by $10y - 10 + j$ in $F_4[x']$ produces
   $$F_5:\ \bigvee_{j=1}^{120} \big(10y - 10 + j < 15z + 90 \wedge 10y - 10 < 10y - 10 + j \wedge 24 \mid 10y - 10 + j + 6 \wedge 30 \mid 10y - 10 + j\big)$$
   which simplifies to
   $$F_5:\ \bigvee_{j=1}^{120} \big(10y + j < 15z + 100 \wedge 0 < j \wedge 24 \mid 10y + j - 4 \wedge 30 \mid 10y - 10 + j\big).$$
   $F_5$ is quantifier-free and $\hat{T}_\mathbb{Z}$-equivalent to $F$.

17. Example: $\exists x.\ \underbrace{(3x + 1 < 10 \vee 7x - 6 > 7) \wedge 2 \mid x}_{F[x]}$
   Isolating the $x$ terms gives $\exists x.\ (3x < 9 \vee 13 < 7x) \wedge 2 \mid x$, so $\delta' = \mathrm{lcm}\{3, 7\} = 21$.
   After multiplying coefficients by the proper constants, $\exists x.\ (21x < 63 \vee 39 < 21x) \wedge 42 \mid 21x$, we replace $21x$ by $x'$:
   $\exists x'.\ \underbrace{(x' < 63 \vee 39 < x') \wedge 42 \mid x' \wedge 21 \mid x'}_{F_4[x']}$

18. Then $F_{-\infty}[x']:\ (\top \vee \bot) \wedge 42 \mid x' \wedge 21 \mid x'$, or, simplifying, $F_{-\infty}[x']:\ 42 \mid x' \wedge 21 \mid x'$. Finally, $\delta = \mathrm{lcm}\{21, 42\} = 42$ and $B = \{39\}$, so
   $$F_5:\ \bigvee_{j=1}^{42} (42 \mid j \wedge 21 \mid j) \;\vee\; \bigvee_{j=1}^{42} \big((39 + j < 63 \vee 39 < 39 + j) \wedge 42 \mid 39 + j \wedge 21 \mid 39 + j\big).$$
   Since $42 \mid 42$ and $21 \mid 42$, the left main disjunct simplifies to $\top$ (its $j = 42$ disjunct holds), so $F$ is $\hat{T}_\mathbb{Z}$-equivalent to $\top$. Thus, $F$ is $\hat{T}_\mathbb{Z}$-valid.

19. Example: $\exists x.\ \underbrace{2x = y}_{F[x]}$
   Rewriting: $\exists x.\ \underbrace{y - 1 < 2x \wedge 2x < y + 1}_{F_3[x]}$
   Then $\delta' = \mathrm{lcm}\{2, 2\} = 2$, so by step 4: $\exists x'.\ \underbrace{y - 1 < x' \wedge x' < y + 1 \wedge 2 \mid x'}_{F_4[x']}$
   $F_{-\infty}$ produces $\bot$.

20. However, $\delta = \mathrm{lcm}\{2\} = 2$ and $B = \{y - 1\}$, so
   $$F_5:\ \bigvee_{j=1}^{2} (y - 1 < y - 1 + j \wedge y - 1 + j < y + 1 \wedge 2 \mid y - 1 + j)$$
   Simplifying,
   $$F_5:\ \bigvee_{j=1}^{2} (0 < j \wedge j < 2 \wedge 2 \mid y - 1 + j)$$
   and then $F_5:\ 2 \mid y$, which is quantifier-free and $\hat{T}_\mathbb{Z}$-equivalent to $F$.
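As an added example (not code from the book or these slides), the following Python runs step 5 of Cooper's method on a formula already in the $F_4[x']$ form of slide 11 and returns $F_5$ as an evaluable predicate over the free variables rather than as printed syntax; the tuple encoding, the function names and the `env` dictionaries are assumptions of this example. It covers the three worked examples of slides 12/16, 17/18 and 19/20, and handles disjunctions inside $F_4$ as slide 17 requires.

```python
from math import lcm
# Added example, not code from the book: Cooper's step 5 (slides 13-15) applied to
# a formula already in the F4[x'] normal form of slide 11. Assumed encoding:
# ("and", f, g), ("or", f, g), ("A", a), ("B", b), ("C", h, c), ("D", k, d),
# with a, b, c, d either ints or functions env -> int over the free variables.
def val(t, env):
    return t(env) if callable(t) else t

def eval_f(f, x, env, minf=False):
    """Evaluate F4[x]; with minf=True evaluate the left infinite projection
    F-inf[x] instead: (A) literals become true and (B) literals false."""
    op = f[0]
    if op == "and":
        return eval_f(f[1], x, env, minf) and eval_f(f[2], x, env, minf)
    if op == "or":
        return eval_f(f[1], x, env, minf) or eval_f(f[2], x, env, minf)
    if op == "A":
        return True if minf else x < val(f[1], env)
    if op == "B":
        return False if minf else val(f[1], env) < x
    if op == "C":                             # h | x + c  (Python's % is >= 0)
        return (x + val(f[2], env)) % f[1] == 0
    return (x + val(f[2], env)) % f[1] != 0   # (D): not (k | x + d)

def collect(f, bs, mods):
    """Gather the B terms and the moduli h, k whose lcm is delta."""
    if f[0] in ("and", "or"):
        collect(f[1], bs, mods); collect(f[2], bs, mods)
    elif f[0] == "B":
        bs.append(f[1])
    elif f[0] in ("C", "D"):
        mods.append(f[1])

def cooper(f4):
    """Return F5 as a predicate over the free variables:
    OR_{j=1..delta} F-inf[j]  or  OR_{j=1..delta} OR_{b in B} F4[b + j]."""
    bs, mods = [], []
    collect(f4, bs, mods)
    delta = lcm(*mods)                        # math.lcm() of no arguments is 1
    def f5(env):
        js = range(1, delta + 1)
        return (any(eval_f(f4, j, env, True) for j in js) or
                any(eval_f(f4, val(b, env) + j, env) for b in bs for j in js))
    return f5
# Slides 19-20: y-1 < x' and x' < y+1 and 2 | x'   (F5 should be 2 | y)
EVEN_Y = ("and", ("and", ("B", lambda e: e["y"] - 1), ("A", lambda e: e["y"] + 1)), ("C", 2, 0))
# Slides 17-18: (x' < 63 or 39 < x') and 42 | x' and 21 | x'   (F5 should be true)
VALID = ("and", ("or", ("A", 63), ("B", 39)), ("and", ("C", 42, 0), ("C", 21, 0)))
# Slides 12 and 16: x' < 15z+90 and 10y-10 < x' and 24 | x'+6 and 30 | x'
YZ = ("and", ("and", ("A", lambda e: 15 * e["z"] + 90), ("B", lambda e: 10 * e["y"] - 10)),
      ("and", ("C", 24, 6), ("C", 30, 0)))
```

Evaluating `cooper(YZ)` over a grid of `y`, `z` and comparing with a brute-force search for `x` in the original formula of slide 12 confirms the equivalence claimed on slide 16; `cooper(VALID)({})` is true and `cooper(EVEN_Y)` agrees with $2 \mid y$, as slides 18 and 20 state.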

21. Two Improvements
   A. Symmetric Elimination: In step 5, if there are fewer (A) literals $x' < a$ than (B) literals $b < x'$, construct the right infinite projection $F_{+\infty}[x']$ from $F_4[x']$ by replacing each (A) literal $x' < a$ by $\bot$ and each (B) literal $b < x'$ by $\top$. Then apply right elimination, where $A$ is the set of $a$ terms appearing in (A) literals:
   $$F_5:\ \bigvee_{j=1}^{\delta} F_{+\infty}[-j] \;\vee\; \bigvee_{j=1}^{\delta} \bigvee_{a \in A} F_4[a - j].$$
